Problem configuring OpenWRT in AP mode with trunked VLAN connecting to WiFi

Hello,

I’m trying to replace my existing UniFi WiFi network with OpenWRT APs. The network configuration is fairly simple and comprises an OpenBSD router connected to the upstream network with an internal Trunked VLAN with 3 VLAN networks (home/guest/mgmt). I want to connect the OpenWRT APs directly to the Trunked VLAN and then bridge the associated home/guest WiFi networks to the appropriate VLAN (all of the DHCP/DNS/Routing/Firewall is done by the OpenBSD box) - the mgmt VLAN is just there to manage the OpenWRT APs (the APs have an IP address on this VLAN but not on the home/guest VLANs). The rough layout is shown below (there will eventually be 4 APs but I’m just using one for testing at the moment).

               ┌───────────┐                              ┌────────────┐                   
               │           │                              │            │                   
               │ OpenBSD   │                              │ OpenWRT    ├───► SSID: home    
               │           │                              │ AP Mode    │     (192.168.50.x)
               │ DHCP      │                              │            │                   
Upstream ◄─────┤ DNS       ├─────────────────────────────►│            │                   
               │ Router/NAT│ Trunked VLAN                 │            │                   
               │ Firewall  │ vlan50 = home (192.168.50.x) │ Access via │                   
               │           │ vlan60 = guest (192.168.60.x)│ mgmt VLAN  ├───► SSID: guest   
               │           │ vlan70 = mgmt (192.168.70.x) │ 192.168.70.x     (192.168.60.x)
               └───────────┘                              └────────────┘                   

The AP configuration is shown below.

I can connect to the AP via the mgmt VLAN and can see/connect to the home/guest WiFi SSIDs; however, it doesn't look like the packets are being forwarded to the upstream Trunked VLAN.

I’ve run tcpdump on the WiFi interfaces (phy0-ap0 & phy0-ap1) and can see the client connecting and associated DHCP/ARP traffic but the traffic doesn't show up on the upstream interface. I’ve also tried looking at the individual VLAN devices (br-lan.50 & br-lan.60) using tcpdump and I don't see any traffic on these either even though these are connected to the associated interfaces (vlan50 & vlan60).

I’m guessing that I have missed off something to connect the devices/interfaces/wifi-ifaces - I’ve done a bit of searching in the docs/forum but a lot of the VLAN examples seem to use devices with switches (I’m using a UniFi U6-Lite which just has a single LAN port) or the LuCI GUI has changed.

Any ideas?

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Ubiquiti UniFi 6 Lite",
	"board_name": "ubnt,unifi-6-lite",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}
root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3f:685e:d48::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '50'
	option name 'br-lan.50'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '60'
	option name 'br-lan.60'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '70'
	option name 'br-lan.70'

config interface 'vlan50'
	option proto 'none'
	option device 'br-lan.50'

config interface 'vlan60'
	option proto 'none'
	option device 'br-lan.60'

config interface 'vlan70'
	option proto 'static'
	option device 'br-lan.70'
	option ipaddr '192.168.70.5'
	option netmask '255.255.255.0'
	option gateway '192.168.70.1'
	list dns '192.168.70.1'

root@OpenWrt:~# cat /etc/config/wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '2g'
	option channel '1'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'home'
	option encryption 'none'
	option network 'vlan50'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'none'
	option network 'vlan60'
root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

(dnsmasq and odhcpd are disabled in /etc/rc.d)

You need to define some bridge-vlans, e.g.

config bridge-vlan
   option device 'br-lan'
   option vlan '50'
   list ports 'lan:t'

Or you can do this in the GUI on the Devices->edit br-lan->Bridge VLAN Filtering page.

Then each VLAN does need an Interface of proto none to start up the bridge, but you already have those.

The type 8021q sections don't instantiate anything in the kernel or hardware; they are there apparently only for LuCI record keeping to populate lists. As a CLI user I never needed them.
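As an added example (not config taken from the thread), here is the complete /etc/config/network that the answer above implies for the three VLANs in the diagram, keeping the interface names and addresses from the original post; the wifi-iface sections stay attached to vlan50 and vlan60 as before, which makes each SSID an untagged member of its VLAN on br-lan.

```uci
# Added example: a VLAN-aware br-lan for the trunk towards the OpenBSD router.
# The single 'lan' port carries every VLAN tagged ('lan:t'). No untagged/PVID
# member is declared on it, so untagged frames arriving on the trunk are
# dropped rather than leaking into any VLAN.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

# One bridge-vlan section per VLAN. OpenWrt creates the br-lan.<vid> device
# for each of these itself, so the separate 'type 8021q' sections are not needed.
config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '60'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '70'
	list ports 'lan:t'

# Client VLANs: proto none brings the VLAN up on the bridge without giving
# the AP an address on the home/guest networks.
config interface 'vlan50'
	option proto 'none'
	option device 'br-lan.50'

config interface 'vlan60'
	option proto 'none'
	option device 'br-lan.60'

# Management VLAN: the only one on which the AP itself has an IP address.
config interface 'vlan70'
	option proto 'static'
	option device 'br-lan.70'
	option ipaddr '192.168.70.5'
	option netmask '255.255.255.0'
	option gateway '192.168.70.1'
	list dns '192.168.70.1'
```

Apply it with `/etc/init.d/network restart`, then `tcpdump -i br-lan.50` (or `.60`) should show the client DHCP/ARP traffic that was previously missing.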

Thanks, that fixed the problem.

Regards, Paul